Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

detecting clients using excessive bandwidth

I wanted to find out if there is any way to indentify which clients on a particular network interface are using a certain amount of bandwidth. We have an ASA 5510 with four interfaces including the internet and one network is generating an excessive amount of inbound traffic from the internet and I want to determine which client system on that network is generating the traffic. Is there a log or a setting to allow me to identify that client system by IP or Mac address?

7 REPLIES
New Member

Re: detecting clients using excessive bandwidth

There is a painfull way.

See the amount of encrypted or decrypted traffic in the IPSEC SA. Hope this helps.

New Member

Re: detecting clients using excessive bandwidth

Hi,

You could setup a rate limit using police within a policy-map and see when its triggered. This would allow you to control the amount of bandwidth used, and to log when the threshold is breached. However police is only applicable to egress traffic, and would affect all traffic defined by the match specified within the appropriate class-map, so I guess theres no way to narrow this down without knowing the culprit.

Hope this helps,

Glen

Re: detecting clients using excessive bandwidth

Hi ..

In this scenario I suggest you to use a packet analyzer such ethereal ot packetizer .. you can get them from the web just google it. You could mirror the port connected to the ASA's interface that links to te network having the problem. This will give you an good idea of top ten connections etc... Also there is another tool statseeker .. you could get a trial version for 30 days.

I hope it helps .. please rate if it it does !!!

Re: detecting clients using excessive bandwidth

also...

Instead of setting up a port mirror simply perform a local capture on the ASA and export it to ethereal. (via a copy /pcap). If you make it a circular capture you could leave it running to have the data always available whenever you need it.

Another option (more long-winded though) would be to put an access-list on one of the interfaces with a separate line for each IP. A "show access-list" would then give you a quick overview of IP address activity.

HTH

Andrew.

New Member

Re: detecting clients using excessive bandwidth

Not a cisco answer, but an easy one. If you have a span port of the traffic, connect a linux box and use ipaudit (http://sourceforge.net/projects/ipaudit). Very lightweight and passive. Web-based 'top-20' reports to give you exactly what you are asking.

Option #2: Netflow from border/edge router.

New Member

Re: detecting clients using excessive bandwidth

Thanks for all the suggestions, so far we have applied a policy map to limit bandwidth on that interface to 256k which doesn't answer the queston but stops these clients from eating up the T1. I'm going to try a couple of the non-cisco suggestions using a linux box on that network to monitor activity more closely. Again thank you all for some very useful and interesting suggestions.

Re: detecting clients using excessive bandwidth

Another App you could use is N-top www.ntop.org. Very good web reporting in combination with a span port. It has linux and windows versions.

Patrick

273
Views
4
Helpful
7
Replies
CreatePlease login to create content